MIM LAB6: The AD MA and Run profiles

This post is part of a series. The chapter index is located here.

In this lab we will configure the firs AD management agent and set up run profiles.

Creating the first AD MA

Most MIM installation are made to handle a single forest, or maybe even a single active directory domain. As mentioned in the index, I am planning a multi-forest lab. Each forest needs its own AD management agent, and in this chapter we configure it.

 

Create a service account in the target domain/forest

Create an account called MIMADSync and make it a member of domain administrators. This account is for the AD MA.

 

Start the wiazard

Start by opening the Synchronization Service Manager and click Management Agents, then Create. Select Active Directory Domain Services as the type of MA:

 

image

 

I have named it “AD MIM.local”, but the name is not important.

 

Connect to AD Forest

  • Forest name: mim.local
  • User name: MIMADSync
  • Domain: MIM
  • Options: Enable Sign and Encrypt LDAP Traffic

image

 

Configure AD Partitions

  • Select the MIM.local partition.
  • Select the MIM OU  as the container. This limits MIMs sphere of influence in AD.

 

image

 

Configure provisioning hierarchy

  • Accept defaults.

image

 

Select object types

  • Add group
  • Add User

image

 

Select attributes

  • Check “Show All” to list all attributes.
  • Select the following attributes:
  • company
  • displayName
  • employeeID
  • employeeType
  • givenName
  • groupType
  • managedBy
  • manager
  • member
  • objectSid
  • sAMAccountName
  • sAMAccountType
  • sn
  • unicodePwd
  • userAccountControl

 

image

 

Complete the wizard

Accept default for the remaining pages.

 

Create Run Profiles

Run Profiles are managed in the “Configure Run Profiles” dialog in Synchronization Service Manager. For this setup, we will just give them a name and select a step type. There are a lot of other options to play with if you whish, or you can just accept the defaults for now.

You begin with giving it a name. You can choose any name you want, but it is easier if you use one that reflects what the profile does.

image

 

The next page lets you select a step-type. Run profiles can have multiple steps.

image

image

 

Create run profiles according to the table below for BOTH management agents.


                

Name Type
Full
Import
Full
Import (Stage Only)
Full
Sync
Full
Synchronization
Delta
import
Delta
import
Delta
Sync
Delta
Synchronization
Export Export

 

Configure the MIM Service

Now it is time to create the AD user inbound sync rule in the portal. Got to the Administration part of the portal and select Sync Rules:

image

  • Create a new rule by clicking New.
  • Supply a display name. I named it “MIM.local user inbound sync”.
  • Select Inbound data flow and move to the Scope page.

image

  • Metaverse resource type: Person
  • External System:  AD MIM.local (the name of the AD management agent)
  • External system resource type: user
  • Move to the Relationship page

image

  • Use objectSID as the relationship criteria.
  • Enable “Create resource in MIM”
  • Move to the Inbound Attribute Flow page.

image

 

  • Define flow rules according to the following table:



Source Destination
samAccountName accountName
displayName displayName
EmployeeType employeeType
givenName firstName
sn lastName
Manager manager
objectSID ObjectSID
“MIM” domain

 

Note that we flow a constant string to the domain attribute.

image

 

Click Finish and then Submit to complete the wizard.

The end of MIM LAB 6

This post is part of a series, and the chapter index is located here.

In the next chapter, we will test the run profiles and enable provisioning.

Author: DizzyBadger

SQL DBA Principal Analyst

1 thought on “MIM LAB6: The AD MA and Run profiles”

Leave a Reply